The exchange of information across modern networks requires software and hardware that meet increasingly stringent security requirements. For example, in today's military networks, there is an increasing reliance on global information transfer to all tactical posts. To support this transfer of information, platforms may be expected to operate as nodes in a network-centric tactical environment. This network-centric environment may need to be configured to exhibit varying degrees of autonomy. Such network configurations, however, have safety and security implications for the entire computing infrastructure. This infrastructure may include, for example, real-time processing elements.
Of particular practical concern in the transmission of data that may have a predetermined sensitivity level is how these network-centric systems handle information at different sensitivity levels. In order to transmit information having a predetermined sensitivity level, a certain level of trust may need to be maintained. For example, embedded items within the network (e.g., data storage, processors etc.) may need to be trusted to maintain separation of processes running at different sensitivity levels. Furthermore, such embedded elements may be configured to ensure that access to classified objects (which may refer to passive entities that contain or receive information such as, for example, records, blocks, pages, segments, files, directories, etc.) is limited to appropriately classified subjects. Such classified subjects may include, for example, an entity that causes information to flow. In addition to these features, the embedded elements may be required to manage end-to-end information flow. This is sometimes referred to as data isolation and information flow policy within the network. The information flow policy may be created and/or manipulated by, for example, a network designer.
General requirements in secure networks such as, for example, military networks or intelligence agency networks, or any private secure network configured to transmit data having a plurality of predetermined sensitivities may be, for example: (1) the functions that restrict access and separate data based on predetermined sensitivities should be invoked by the embedded elements on the network; (2) the embedded elements should be configured so that these functions cannot be bypassed; (3) the functions should not be subject to tampering, and may be, in a word, tamper-proof; and (4) the functions should be capable of being evaluated to confirm that they function correctly.
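The subject/object access control described above, as an added illustration that is not part of the original text: a small reference monitor that mediates every read and write of a labeled object. The level names, the "compartment" categories standing in for need-to-know, the classic no-read-up/no-write-down rule used as the flow policy, and the sample data are all constructed assumptions.

```python
# Added example (not from the original text): a reference monitor that is the
# single path to a store of classified objects, so it is invoked on every access.
# Level names, compartments, and the no-read-up/no-write-down rule are assumptions.
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high and it
        # carries every compartment (need-to-know category) of the other label.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

class ReferenceMonitor:
    """Every read/write goes through check(); the object store is private."""
    def __init__(self):
        self._objects = {}      # name -> (Label, content)
        self.audit = []         # (subject level, op, object, decision)

    def create(self, name, label, content=""):
        self._objects[name] = (label, content)

    def check(self, subject: Label, op: str, name: str) -> bool:
        obj_label, _ = self._objects[name]
        if op == "read":      # no read up: subject must dominate the object
            ok = subject.dominates(obj_label)
        elif op == "write":   # no write down: object must dominate the subject
            ok = obj_label.dominates(subject)
        else:
            ok = False
        self.audit.append((subject.level, op, name, "ALLOW" if ok else "DENY"))
        return ok

    def read(self, subject, name):
        if not self.check(subject, "read", name):
            raise PermissionError(f"{subject.level} may not read {name}")
        return self._objects[name][1]

    def write(self, subject, name, content):
        if not self.check(subject, "write", name):
            raise PermissionError(f"{subject.level} may not write {name}")
        label = self._objects[name][0]
        self._objects[name] = (label, content)
```

The audit list records every decision, which is what makes the monitor evaluable after the fact.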
In the past, these general requirements have been met by keeping a variety of physically separate networks, such that the various nodes that are interconnected with one another are configured to handle information of only one sensitivity. By way of example, a number of embedded elements may be coupled together over a network for the transmission of classified information. These embedded elements may, however, only transmit and receive information of one predetermined sensitivity. In other words, all transmission pathways on the network handle data of one and only one predetermined sensitivity. Thus, for the transmission of data having a number of predetermined sensitivities, there may need to be a corresponding number of different networks, one per predetermined sensitivity. These sensitivity levels may be, for example, classification levels associated with government-related or non-government-related classifications of information. Sensitivity levels may include classification levels but may be broader, including, for example, information that is restricted to certain parties, such as between executives and employees within a corporation.
Exemplary of this problem is that a plurality of embedded elements may be configured to handle information classified as secret. This information may only be received by other embedded elements that are configured to properly handle information of this classification. These embedded elements may be used by people having the proper security clearances and “need to know”. One traditional means for ensuring that the appropriate nodes receive information that they are entitled to receive is ensuring that only “secret” embedded elements (or embedded elements having the appropriate permissions to access secret information) are connected to the network. Likewise, information having a classification of “top secret” would be transmitted over a separate network. This is problematic because operators at the nodes on the network may need to have a plurality of computers, one for each of the plurality of classification levels of data that they may receive. For example, it is not unheard of for an operator to have four computers, one for the transmission of top secret information, one for the transmission of secret information, one for the transmission of classified information, and finally, another for the transmission of unclassified information. This example assumes, of course, that the operator has the proper authorization to access such information. While specific references may be made herein to military networks, these problems may also exist in business-oriented networks such as wide-area networks (WANs), university networks such as local area networks (LANs), or any network that is configured to handle classified or proprietary information.
An alternative solution to this problem has been to create a secure tunnel of information such that only computers on the tunnel can decrypt or communicate data over the network. This is known as a virtual private network (VPN) and is similar to a peer-to-peer (P2P) network connection where a given end point computer can only receive information of a given classification level. This network configuration and encryption, however, does not allow for the data on the network to have a number of different classifications. Once a computer or processor has entered or otherwise been added to the network, it may have permission to access information throughout the network. Thus, there is no means to properly segregate information based on classification of the data to prevent unauthorized access to the information.
Other traditional means of performing such tasks include the use of a separation kernel on single-processor elements that are configured to handle data having a plurality of predetermined sensitivity levels. Analogous to the separation of networks for the handling of classified information, a separation kernel may be employed to keep information of distinct sensitivities separate within a single processor. Thus, a separation kernel ensures that a processor's functions are associated with partitions that are designed to handle only one type of information. FIG. 1 shows an abstract view of a separation kernel that is known in the prior art for the separation of information within a single processor. As illustrated in FIG. 1, the separation kernel may be configured to ensure that only the information flows depicted by the arrows actually occur. Furthermore, the separation kernel may be configured to ensure that no critical task is bypassed. Finally, another purpose of the separation kernel is to ensure that each task's private data remains private, i.e., that other partitions cannot detect, even by deduction, that another partition is receiving or processing data. One partition should be configured such that it is not aware of the other partitions and is, itself, transparent to the other partitions.
As illustrated in FIG. 1, the separation kernel 100 may include a red protocol machine (“RPM”) 110, which may be configured to receive unencrypted data (i.e., red data) from, for example, a partition within a processor or computer. The red protocol machine 110 may also receive information from the red verifier (“RV”) 121, which is being sent into the processor or computer. When red data is received by the red protocol machine 110, it is transferred to a trusted red switch (“TRS”) 120, which is trusted to receive red information and route that information to the proper encryption algorithm E1, E2, or E3 130, 131, 132, respectively. In one configuration, the separation kernel 100 may include an encryption algorithm that is uniquely associated with the particular sensitivity of information. Furthermore, the trusted red switch 120 may be configured to route data of a particular sensitivity to the correct associated encryption algorithm. Once the appropriate encryption algorithm 130, 131, 132 has been applied to the data, the data may be output to the black verifier (“BV”) 140, which may be configured to ensure that the data output from the encryption algorithms is properly encrypted. The black verifier 140 may then pass the data on to the black protocol machine (“BPM”) 150. The black protocol machine 150 may be configured to receive encrypted data (i.e., black data) from both the black verifier 140 and from other locations within a processor or computer, such as, for example, a storage device. The black protocol machine 150 may receive this data and send it to a black switch (“BS”) 140. The black switch 140 may be configured to receive encrypted data from the black protocol machine 150 and route that data to the appropriate decryption algorithm for further processing. The decryption algorithms (D1, D2, D3) 133, 134, 135 may be associated with particular types of classified data that may be utilized in the system. 
Furthermore, decryption algorithms 133, 134, and 135 may be configured to decrypt data that was encrypted with an associated encryption algorithm 130, 131, or 132. After the data has been decrypted by the decryption algorithms 133, 134, 135 it may be passed to the red verifier (“RV”) 121, which may be configured to ensure that the data has been appropriately decrypted and to send the data into the red protocol machine 110 to be input into a proper partition within, for example, the processor, for further processing.
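The FIG. 1 data path described in the two preceding paragraphs, modeled as an added example that is not from the patent: red data is routed by its partition's level to a per-level encryption, checked by a black verifier, and on the way back routed by the black switch to the matching decryption and checked by a red verifier against the destination partition. The per-level keys, the SHA-256 counter-mode keystream standing in for E1..E3/D1..D3, the HMAC tag that binds a packet to its level, and the sample payload are constructed assumptions.

```python
# Added example (not from the patent): toy model of the RPM -> TRS -> E -> BV -> BPM
# outbound path and the BPM -> BS -> D -> RV -> RPM inbound path of FIG. 1.
import hashlib, hmac

# One key per sensitivity level stands in for the E1/D1, E2/D2, E3/D3 pairs (constructed).
LEVEL_KEYS = {"U": b"key-unclass", "S": b"key-secret", "TS": b"key-topsecret"}

def _keystream(key: bytes, n: int) -> bytes:
    # Constructed stream-cipher stand-in: SHA-256 in counter mode, illustration only.
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(level: str, red: bytes) -> dict:
    """E_level: red bytes -> black packet {level, ct, tag}; the tag binds the level."""
    key = LEVEL_KEYS[level]
    ct = bytes(a ^ b for a, b in zip(red, _keystream(key, len(red))))
    tag = hmac.new(key, level.encode() + ct, "sha256").digest()
    return {"level": level, "ct": ct, "tag": tag}

def decrypt(level: str, packet: dict) -> bytes:
    """D_level: refuses any packet whose tag was not produced under this level's key."""
    key = LEVEL_KEYS[level]
    expect = hmac.new(key, packet["level"].encode() + packet["ct"], "sha256").digest()
    if not hmac.compare_digest(expect, packet["tag"]):
        raise ValueError("black switch routed the packet to the wrong decryptor")
    return bytes(a ^ b for a, b in zip(packet["ct"], _keystream(key, len(packet["ct"]))))

def black_verifier(red: bytes, packet: dict) -> bool:
    # BV: the output handed to the black side must not carry the red bytes in the clear.
    return len(red) > 0 and packet["ct"] != red and red not in packet["ct"]

def red_to_black(partition_level: str, red: bytes) -> dict:
    """Outbound: TRS routes by the partition's level, BV checks before BPM sees it."""
    packet = encrypt(partition_level, red)
    if not black_verifier(red, packet):
        raise ValueError("black verifier rejected unencrypted output")
    return packet

def black_to_red(dest_partition_level: str, packet: dict) -> bytes:
    """Inbound: BS routes by the packet's level, RV checks it matches the partition."""
    red = decrypt(packet["level"], packet)
    if packet["level"] != dest_partition_level:
        raise PermissionError("red verifier: data level does not match the partition")
    return red
```

Relabeling a packet to steer it to another level's decryptor fails the tag check, and a correctly decrypted packet still cannot be delivered into a partition of a different level.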
The separation kernel is one example of how information of different sensitivities may be permitted to flow within a given processor. Using a separation kernel, an operating system may be configured to be trusted to ensure that the information flow within the processor does not improperly allow access to classified information. The separation kernel, however, has traditionally been limited to single-processor systems. The prior art has failed to prove that the same level of trust may be maintained when the information is flowing on a common network between computers that have different permissions and that may be configured to access information of different predetermined sensitivities or classifications.
Thus, there is a need for a network that can support nodes operating at different security levels while being physically connected together over the same network fabric. There is also a need for a hardware and/or software configuration that can be trusted to ensure that security violations do not occur when multiple nodes operating at various sensitivity or classification levels are networked together over the same network fabric. These and other objects, separately and/or in combination, are some of the exemplary objects of the present invention.